Secure data tagging systems

ABSTRACT

A system is disclosed for secure communication between an interrogator and an RFID tag. The system includes means for singulating the tag in a population of RFID tags and means for extracting from the tag, identity data adapted to uniquely identify the tag. The system further includes means for securely communicating the identity data to a secure database, means for providing authentication data by the database and means for securely communicating the authenticating data to the interrogator. The system also includes means for providing a further communication between the tag and the interrogator, and wherein at least one stream of data between the tag and the interrogator includes random data generated via a random physical process. The tag and database may each include means for maintaining a count of secure authentications. The count may be separately maintained by the tag and database and may be incremented following each secure authentication. A method for secure communication between an interrogator and an RFID tag is also disclosed.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of International Application No.PCT/AU02/01671, filed Dec. 10, 2002, the disclosure of which is herebyincorporated by reference herein.

FIELD OF THE INVENTION

The present invention relates to an object management system whereininformation bearing electronically coded radio frequency identification(RFID) tags are attached to objects which are to be identified, sorted,controlled and/or audited. In particular the present invention relatesto a system for authenticating RFID tags including the information thatis contained in the tags.

BACKGROUND OF THE INVENTION

The object management system of the present invention includesinformation passing between an interrogator which creates anelectromagnetic interrogation field, and the electronically coded tags,which respond by issuing a reply signal that is detected by theinterrogator, decoded and consequently supplied to other apparatus inthe sorting, controlling or auditing process. The objects to which thetags are attached may be animate or inanimate. In some variants of thesystem the interrogation medium may be other than electromagnetic, suchas optical and/or acoustic.

Typically each tag in a population of such tags may have an identitythat is defined by a unique number or code that is assigned to each tag,in a global numbering scheme. The tags may also carry other fixed orvariable data. Communications between the interrogator and tags is via aradio-frequency electromagnetic link that is inherently insecure andsusceptible to eavesdropping, or the insertion of bogus signals.

Under normal operation the tags may be passive, i.e. they may have nointernal energy source and may obtain energy for their reply from theinterrogation field, or they may be active and may contain an internalenergy source, for example a battery. Such tags respond only when theyare within or have recently passed through the interrogation field. Theinterrogation field may include functions such as signalling to anactive tag when to commence a reply or series of replies or selecting asingle tag among a population of such tags, or in the case of passivetags may provide energy, a portion of which may be used in constructingthe reply.

One example of an insecure electronic tag reading system is illustratedin FIG. 1. In FIG. 1 an interrogator 11, containing a transmitter andreceiver, both operating under a controller, communicate viaelectromagnetic means with a code responding electronic tag 10. Thissystem has a disadvantage in that information passing between tag 10 andinterrogator 11 is directly related to information stored within tag 10.A further disadvantage is that the process of communication between tag10 and interrogator 11 is susceptible to eavesdropping. Because suchcommunication is normally carried out by electromagnetic waves, aclandestine receiver located nearby may make a record of thecommunication and deduce the data content of a legitimate tag. Knowledgeof such data content may subsequently allow counterfeit tags to bemanufactured by an unscrupulous party or parties. Such tags may appearlegitimate because they can generate data content that isindistinguishable from genuine tags. Eavesdropping may take place eitheron interrogator to tag communication or tag to interrogatorcommunication. Because of a substantial difference in signal levelsinvolved, communication in the direction from interrogator to tag ismuch more vulnerable to eavesdropping than is communication in thereverse direction.

In some systems it is important to guard against eavesdropping in one,other or both directions or even to conceal the fact that an informationextraction process is under way. Guarding against eavesdropping isparticularly important when private information is being extracted fromthe tag.

Communication between the interrogator and tag is frequently via anexchange of messages in a half duplex mode, but in some systems singlebits of data may alternately be sent between interrogator and tag. Inthis case it is common to regard the process of extraction of data fromthe tag as equivalent to exploration of a binary tree as illustrated inFIG. 2. In FIG. 2 different bits of a tag identity or tag internal datacorrespond to different levels of the tree, and a single tag withparticular data corresponds to a particular path through the tree.Different paths through the tree correspond to different tags withdifferent data.

As discussed above, it is desirable to ensure that tags are authentic,and not substitute tags which produce easily predictable responses ofnormal unencoded identification tags. An ability to provide suchassurances may be required in product authentication, baggagereconciliation, secure entry systems and the like.

In a number of situations it may also be important that the flow ofinformation between the tag and the interrogator is not meaningful to aneavesdropper. This may include situations where economic or militaryadvantage can be gained from such information becoming known, or whenowners of goods with attached tags desire to keep their ownershipprivate. Hence, it is desirable to guard against eavesdropping on theprocess of communication between an electronic tag and its interrogator.

One defence against eavesdropping employs encryption of data passingbetween interrogator and tag. However, installation of complex circuitswith encryption engines in the tag poses excessive demands on tagsdesigns, which should be maintained as simple as possible for reason ofcosts. Moreover, even if such encryption engines are used, availableencryption algorithms may still allow determined analysts to determinethe parameters of those algorithms from eavesdropping operations.

SUMMARY OF THE INVENTION

The present invention provides a system that may determine the identityor data of a tag in a manner that defeats efforts at eavesdropping onthe electromagnetic communication link. The system of the presentinvention may determine that the tag is genuine and not counterfeit. Thesystem of the present invention may provide a relatively high level ofsecurity that is comparable to systems that make use of non re-usedtruly random codes. The system of the present invention may producethese results with a relatively simple and low cost tag. The system mayalso be capable of disguising the fact that an information extractionprocess is in progress.

The system of the present invention may, with addition to a tag of asimple and relatively small size writeable memory and acceptance of alimitation that there may be a limited number of authentications betweenoperations of recharging the tag in a secure environment, provide anauthentication system that matches the security of a one-time code. Thesystem may also be used to extract in a secure way variable data fromRFID tags. As part of the system, the interrogator may interact not onlywith the tag but also through secure communications with a securedatabase containing for each tag, security information used in theauthentication process (refer FIG. 3).

Prior to a tag being put into service, one or more random codes may begenerated for each tag by a truly random physical process. The randomcodes may be used to provide authentication test keys or numbers. Therandom codes may be loaded in a secure way into both the database andeach tag. In the database, the random codes for each tag may beassociated with an unencrypted tag serial number, or a separate butrandomly chosen number that may be read from the tag by conventional taginterrogation processes.

In one embodiment communication between an interrogator and a single tagmay be achieved through spatial separation between tags and theirplacement in close proximity to the interrogator.

The authentication system of the present invention may achieveextraordinary levels of security without a requirement to install withinthe tags complex circuits of encryption engines. The system maytherefore be suitable for installation in relatively low cost RFID tags.The extraordinary levels of security are available because the systemmakes use of utterly random codes generated by a truly random physicalprocess. The codes therefore will not be repeated more often than randomnumbers generated from truly random physical processes will be repeated.

According to the present invention there is provided a system for securecommunication between an interrogator and an RFID tag, said systemincluding:

means for singulating said tag in a population of RFID tags;

means for extracting from said tag, identity data adapted to uniquelyidentify said tag;

means for securely communicating said identity data to a securedatabase;

means for providing authentication data by said database;

means for securely communicating said authenticating data to saidinterrogator; and

means for providing a further communication between said tag and saidinterrogator, wherein at least one stream of data between said tag andsaid interrogator includes random data generated via a random physicalprocess.

The tag and the database may each include means for maintaining a countof secure authentications. The count may be separately maintained by thetag and the database and may be incremented following each secureauthentication.

According to a further aspect of the present invention there is provideda method for secure communication between an interrogator and an RFIDtag, said method including: singulating said tag from a population ofRFID tags; extracting from said tag, identity data adapted to uniquelyidentify said tag;

securely communicating said identity data to a secure database;

providing authentication data by said database;

securely communicating said authentication data to said interrogator;and

providing a further communication between said tag and saidinterrogator, wherein at least one stream of data between said tag andsaid interrogator includes random data generated via a random physicalprocess.

The method may include the step of maintaining a count of secureauthentications. The count may be separately maintained by the tag andthe database and may be incremented following each secureauthentication.

DESCRIPTION OF A PREFERRED EMBODIMENT

A preferred embodiment of the present invention will now be describedwith reference to the accompanying drawings wherein:

FIG. 1 shows a conventional electronic tag reading system;

FIG. 2 shows how interrogation of an electronic tag may be viewed as anexploration of a binary tree;

FIG. 3 shows an electronic tag reading system augmented by communicationwith a secure database;

FIG. 4 shows one form of architecture of a securely authenticable tag;

FIG. 5 shows a memory structure of a securely authenticable tag; and

FIG. 6 shows a tag reply generator in a securely authenticable tag.

FIG. 1 shows a tag reading system that is inherently insecure. It hasthe disadvantage that eavesdropping on the process of communicationbetween electronic tag 10 and its interrogator 11, which is normallycarried out by electromagnetic waves, allows a clandestine receiver thatmay be located nearby to make a record of the communication, and deducethe data content of a legitimate tag, thus allowing apparentlylegitimate tags to be manufactured by unscrupulous parties.

FIG. 3 shows one embodiment of a tag reading system that has been madesecure. In operation of the system shown in FIG. 3, interrogator 20seeks the identity of tag 21 over an insecure radio frequencycommunications link represented by bold arrows 22, 23. Tag 21 respondsto interrogator 20 with its identity from tag identity register 40(refer FIG. 5) over the insecure radio frequency link. Interrogator 20sends the identity of tag 21 to secure database 24 over preferablysecure data link 25. For some transmissions a non-secure data link maybe used. The data stored in tag identity register 40 may include a fixedand/or variable data string and may include encrypted data and/or datastored in tag data register 41 (refer FIG. 5).

Database 24 uses its data on tag identity, its history ofauthentications, and stored authentication test keys to select a testkey to be sent to tag 21. The selection may be sequential ornon-sequential and may be based on records of the number of priorauthentications which are maintained independently but in synchronism bydatabase 24 and tag 21. In some embodiments a genuine test key sent tothe tag may be mixed with a non-authentic test key such as before orafter the genuine test key is sent to the tag.

The selected authentication test key is sent from database 24 tointerrogator 20 over the preferably secure data link 25. Interrogator 20then sends the test key to tag 21 over insecure radio link 22. Tag 21produces an authentication reply to interrogator 20 over insecure radiolink 23.

FIG. 4 shows details of tag architecture incorporated in tag 21. Tag 21includes common receiving/transmitting antenna 30 connected to receiver31 via rectifier 32. An output of receiver 31 is operably connected toauthentication/reply circuit 33. Authentication/reply circuit 33includes memory 34 and reply generator 35. Reply generator 35 isoperably connected to modulator 36. Modulator 36 is arranged such thatit influences the impedance presented to antenna 30 via rectifier 32.

FIG. 5 shows the memory structure associated with memory 34 of tag 21.Memory 34 includes a tag identity register 40, a tag data register 41,an authentication test keys register 42, an authentication reply codesregister 43, a singulation string register 44 and a scrambling stringregister 45. The tag identify, tag data, singulation string andscrambling string registers 40, 41, 44 and 45 may each include one rowof data containing 64 bits. The test keys register 42 and the replycodes register 43 may each include 16 rows of data each containing 64bits.

FIG. 6 shows details of authentication/reply circuit 33 in tag 21.Authentication/reply circuit 33 includes test unit 50 receiving datafrom receiver 31. Test unit 50 is operably connected to data selector 51for selecting data from authentication reply memory 52 or from randomreply generator 53 according to whether an authentic or a not-authenticreply signal respectively, is to be sent to modulator 36 andsubsequently to interrogator 20. Test unit 50 receives fromauthentication test memory 54, which includes test keys register 42, acurrent test key determined by a count of authentications maintained inevents counter 55.

The response is generated by the following rules. If a test key receivedby the tag matches a test key stored in memory register 42 at a location(eg. row) determined by a count of authentications maintained by thetag, an authentication reply code is selected from a correspondinglocation in authentication reply codes register 43 included inauthentication reply memory 52.

If the test key received by tag 21 does not match the test key stored inmemory register 42 at the location determined by the count ofauthentications maintained by the tag, the authentication response ofthe tag is produced by random reply generator 53.

In the case of a genuine authentication, the count of tagauthentications maintained by events counter 55 and a separate count ofauthentications maintained by database 24 are each incremented. For thispurpose interrogation power to tag 21 may be maintained at an adequatelevel and for an adequate time to allow a non-volatile memory in the tagassociated with events counter 55 that maintains a count of tagauthentications to be re-written with its incremented value. In apreferred realisation of the system, this count may be updated before anauthentication reply (authentic or not-authentic) is provided by tag 21.Database 24 and tag 21 may signal between them the count or number ofauthentications.

The authentication reply is sent to secure database 24 which may checkthe reply of the tag against a selected row in the record of expectedtag replies which is maintained in database 24, the selection dependingon the count of authentications maintained by database 24, and maygenerate an authentic or a not-authentic signal.

The authentic or not-authentic signal is transmitted to interrogator 20over secure data link 25. Interrogator 20 signals identity of tag 21 andsends an authentic or not-authentic signal to user 26 or whatever agentuses the output of interrogator 20. In some circumstances the authenticor not-authentic signal may be sent to an entity other than interrogator20.

In other circumstances it may be desirable to modify the contents ofmemories 52, 54 in tag 21 from a site that is remote from database 24.This may be accomplished if communication between interrogator 20 andtag 21 can be made secure. One way to establish secure communication maybe to provide a closed or electromagnetically shielded communicationchamber around interrogator 20 from which electromagnetic waves thatcommunicate to and from tag 21 do not radiate to the outside world, andto place tag 21 inside the closed chamber for the duration of rechargingits memory contents.

In such a system interrogator 20, with assistance of secure database 24,may explore correctness of several entries in the authentication memoryof tag 21 before signalling to tag 21 that its authentication memory maybe written.

To support that exploration, events counter 55 is initialised to zeroeach time tag 21 receives power, and is incremented each time asuccessful authentication occurs during a period of continuous tagpowering, until a predetermined final value is reached, whereupon aregister that permits writing to the memory of tag 21 is enabled. Theauthentication memory of tag 21 and authentication count number may thenbe re-written by processes familiar to those skilled in the art ofelectronic tag design.

In another embodiment, communication with a single tag may be achievedby initially communicating with a population of tags, and thensingulating a single tag by various techniques known in the industry astag selection or singulation. In one of those techniques, transmission,without interruption, of a selection or singulation string, may takeplace. After the selection string is transmitted, it may be compared inthe tags with an internal singulation string, and only a tag in which amatch is obtained will take part in further communication. In anothersuch technique, known as tree scanning, as illustrated in part in FIG.2, the interrogator may transmit bit by bit a singulation string, andmay receive responses from tags. The transmitted data may be matchedagainst a singulation string in the tags, and tags which have a mismatchin their singulation string and that transmitted by the interrogatorbecome progressively unselected, until only a single tag is selected.

In common embodiments, a unique tag identity may be used as thesingulation string. Authentication test keys and/or tag data mayadditionally or alternatively be used in singulation. The interrogatormay at the first authentication operation read the unencrypted tagidentification number or singulation string, so it knows which tag isbeing processed.

When a high level of security is desired, singulation that usesinterrogator transmissions related to tag identity might be undesirable.In such cases, the tag may contain a singulation string, not related toits identity, used in a tree scanning process. The singulation stringmay be originally programmed into the tag, or may be automaticallygenerated within it. The tags may echo the singulation string to theinterrogator, but such echoes are relatively weak and are lesssusceptible to eavesdropping than are interrogator transmissions, andare in any case not meaningful to an eavesdropper except that they mayindicate that a singulation is in progress.

During singulation, the singulation string may in part be provided bythe tag, and followed by the interrogator, that is, the tag leads theway down the tree scan, and the interrogator follows. Alternatively, thesingulation string may be provided by the interrogator, that is, theinterrogator points the way down the tree scan, and the tag follows aslong as singulation bits match. In both cases, with a suitable design oftag that ignores certain interrogator signals, the interrogator maytransmit incorrect singulation information so as to disguise the factthat genuine singulation is in progress, and thus which tag replies werethe correct ones. Even though non re-use of singulation or response datagives great security, this procedure has an advantage of adding furtherconfusion to an eavesdropping process.

For greater security, the tag may contain a number of singulationstrings that are not re-used. The singulation string may serve as a keyto a secure database containing the tag identity and the correct tagreply to an authentication inquiry. For greater security the tag maycontain a number of different correct tag replies that are not re-used.When the tag is singulated by the appropriate singulation string, andprovides one of the correct tag replies, and those elements are comparedin the secure database, the tags may be regarded as authentic.

If there is not a match between singulation bits transmitted to the tagand the appropriate set of singulation bits occurring within in the tag,the tag response may be a random response of the same length as theauthentication response. After consulting the secure database, andidentifying which tag is being dealt with, the interrogator may send oneor more data streams to the tag. One of the data streams should matchthe first of a series of tag authentication test keys stored in memoryregister 42.

For an interrogation in which there is a match of transmitted data totag authentication test key, the tag may respond with a returnauthentication code known only to the database. There may then be anincrementation in the tag and in the secure database of the content ofnon-volatile counters, which determine which of several authenticationtest keys is next in force.

For interrogations which do not so match, such as may occur when annon-authentic tag is interrogated, or a non-authentic interrogatorperforms the interrogation, the tag may respond with a random code ofthe same length and general structure as an authentic response.

In this way, eavesdropping on the transaction may not provide any clueas to the next correct authentication test key, or next tagauthentication response. All an eavesdropper will detect is a sequenceof apparently random transactions.

In a variation permitting tag identity or data to be disguised, thememory may contain, as shown in FIG. 7, in addition to its secretsingulation string and secret authentication string a secret scramblingstring. Using appropriate variations on the connections shown in FIG. 7,the secret scrambling string may be used to modulate (digitally, an XORoperation) the tag reply when tag identity or data is sought. In oneembodiment, the authentication string may be used as the scramblingstring, or as an input to a pseudo random string generation process,another input being the number of genuine tag authentications, the countbeing maintained separately within the tag and within the securedatabase.

The use of a scrambling string may ensure that no aspect of interrogatortransmission or tag response is of significance to an eavesdropper. Ithas an advantage in that variable data present in the tag, but not yetpresent in the database, may be extracted to the database in a totallysecure way.

Finally, it is to be understood that various alterations, modificationsand/or additions may be introduced into the constructions andarrangements of parts previously described without departing from thespirit or ambit of the invention.

1. A system for secure communication between an interrogator and an RFIDtag, said system including: means for singulating said tag in apopulation of RFID tags; means for extracting from said tag, identitydata adapted to uniquely identify said tag; means for securelycommunicating said identity data to a secure database; means forproviding authentication data by said database; means for securelycommunicating said authenticating data to said interrogator; and meansfor providing a further communication between said tag and saidinterrogator, wherein at least one stream of data between said tag andsaid interrogator includes random data generated via a random physicalprocess.
 2. A system according to claim 1 wherein said tag and saiddatabase each includes means for maintaining a count of secureauthentications.
 3. A system according to claim 2 wherein said count isseparately maintained by said tag and by said database and isincremented following each secure authentication.
 4. A system accordingto claim 1 wherein said interrogator includes said means for extractingand means for transmitting said authenticating data to said tag.
 5. Asystem according to claim 1 wherein said tag includes said means forproviding a further communication.
 6. A system according to claim 1including means for comparing said further communication with referencedata for determining if said tag is authentic.
 7. A system according toclaim 6 wherein said interrogator includes said comparing means.
 8. Asystem according to claim 6 wherein said database includes saidcomparing means.
 9. A system according to claim 1 wherein said tagincludes authentication test data for authenticating a transmission fromsaid interrogator and authentication reply data for encoding a reply.10. A system according to claim 9 wherein said tag includes a pluralityof said authentication data.
 11. A system according to claim 9 whereinsaid database includes a copy of said authentication data.
 12. A systemaccording to claim 9 wherein said authentication data is not reused. 13.A system according to claim 1 wherein said identity data includes afixed data string.
 14. A system according to claim 1 wherein saididentity data includes a variable data string.
 15. A system according toclaim 1 wherein said identity data is encrypted.
 16. A system accordingto claim 15 wherein said encryption includes an XOR operation of saidauthentication data and said identity data.
 17. A method for securecommunication between an interrogator and an RFID tag, said methodincluding: singulating said tag from a population of RFID tags;extracting from said tag, identity data adapted to uniquely identifysaid tag; securely communicating said identity data to a securedatabase; providing authentication data by said database; securelycommunicating said authentication data to said interrogator; andproviding a further communication between said tag and saidinterrogator, wherein at least one stream of data between said tag andsaid interrogator includes random data generated via a random physicalprocess.
 18. A method according to claim 17 including the step ofmaintaining a count of secure authentications.
 19. A method according toclaim 18 wherein said count is separately maintained by said tag andsaid database and is incremented following each secure authentication.20. A method according to claim 17 wherein said further communication isfrom said tag to said interrogator.
 21. A method according to claim 17including comparing said further communication with reference data fordetermining if said tag is authentic.
 22. A method according to claim 17wherein said tag includes authentication test data for authenticating atransmission from said interrogator and authentication reply data forencoding a reply.
 23. A method according to claim 22 wherein said tagincludes a plurality of said authentication data.
 24. A method accordingto claim 22 wherein said database includes a copy of said authenticationdata.
 25. A method according to claim 22 wherein said authenticationdata is not reused.
 26. A method according to claim 17 wherein saididentity data includes a fixed data string.
 27. A method according toclaim 17 wherein said identity data includes a variable data string. 28.A method according to claim 17 wherein said tag identity data isencrypted.
 29. A method according to claim 28 wherein said encryptionincludes an XOR operation of said authentication data and said identitydata.